CESG ASSURED SERVICE CAS SERVICE REQUIREMENT PSN CA (IPSEC)
|
|
- Louise Fox
- 7 years ago
- Views:
Transcription
1 CESG ASSURED SERVICE CAS SERVICE REQUIREMENT PSN CA (IPSEC) Version 1.0 Crown Copyright 2016 All Rights Reserved Page 1
2 Document History Version Date Description 1.0 October 2013 Initial issue Soft copy location DiscoverID This document is authorised by: Technical Director for COTS Assurance This document is issued by CESG For queries about this document please contact: Service Assurance Administration Team CESG Hubble Road Cheltenham Gloucestershire GL51 0EX United Kingdom Tel: +44 (0) The CAS Authority may review, amend, update, replace or issue new Scheme Documents as may be required from time to time. Page 2
3 CONTENTS I. OVERVIEW... 5 A. Introduction... 5 B. Service aims... 5 C. Future enhancements... 5 D. PSN on boarding and initial steps... 5 E. Conduct of the assessment... 5 F. Assumptions... 6 II. REQUIREMENTS... 7 A. Requirements for a PSN CA service... 7 Cryptographic Assurance... 7 Entropy Generation... 8 Entropy Design Description... 8 Entropy Justification... 9 Operating Conditions... 9 Health Testing... 9 Certificate validation... 9 Security architecture B. Format and delivery of evidence for a potential PSN CA service III. GLOSSARY Page 3
4 REFERENCES [a] [b] [c] The Process for Performing CAS Assessments, CESG Security Policy Framework, version 10, April 2013 Cabinet Office HMG IA Standard Number 4 Management of Cryptographic Systems, Issue 5.2, November 2012 CESG [d] HMG IA Standard No.4 - Supplement 10 Compliance, Issue 1.0, April 2011 [e] HMG IA Standard No.4 - Supplement 11 Incident reporting for cryptographic items, Issue 3.0, April 2013 [f] Cryptographic Standard - Cryptographic Mechanisms, Algorithms and Protocols, Issue 1.0, July 2010 (UK R) CESG [g] CAS PSN CA Service Requirement, version 1.8, July 2012 CESG [h] PSN Certificate Policy IPsec IL3, version 1.4, February 2013 PSNA [i] PSN certificate and CRL profiles for IPsec IL3, version 1.0, February PSNA [j] PSN Certificate Practice Template PSNA [k] PSN compliance public services network programme, version 3.7, July 2012 [l] PSN code template for the CoIco, CoP, CoCo, version 2.7, July 2012 Page 4
5 I. OVERVIEW A. Introduction 1. This document provides the CESG Assured Service (CAS) requirements for provision of a Certificate Authority (CA) that is part of the Public Services Network (PSN) Public Key Infrastructure (PKI). 2. This CAS service requirement supersedes the CAS PSN CA service requirement (ref[g]). Exceptionally, much of the structure of that document is retained in preference to the standard format for a CAS service requirement. B. Service aims 3. Operation of a PKI allows mutual recognition and trust between entities that use certificates issued by a CA. The process defined in this document sets out requirements that potential providers of a PSN IL3 service must satisfy. C. Future enhancements 4. CESG welcomes feedback and suggestions on possible enhancements to this Service Requirement. D. PSN on boarding and initial steps 5. A potential industry service Provider of a PSN CA must follow the standard PSN service compliance process (ref[k]). The service provider offers evidence of compliance against the PSN Code to the PSNA; the Code of Practice (CoP) which describes an agreement of service provider obligations and the Code of Interconnection (ColCo) which contains requirements of how the PSN network will connect to the PSN backbone known as the Government Conveyance Network (GCN). The PSNA describes these codes in the PSN Code Template (ref[l]). PSNA can be contacted via (currently psn@cabinet-office.gsi.gov.uk). 6. If PSNA approves the PSN Code, PSNA will give authority to proceed with a CAS assessment and pass details of the potential PSN CA service to CESG. 7. Upon an approved application, CESG will provide information about relevant CESG cryptographic policy and standards (as detailed later in this document), access to the PSN Certificate Policy (CP) (ref[h]) plus PSN certificate and CRL profiles (ref[i]), and access to the PSN Certificate Practice Statement (CPS) template (ref[j]). 8. The Provider must contract with CESG to perform the evaluation, compile an evidence pack, and return it to CESG. E. Conduct of the assessment 9. The basic assurance requirement is for the service provider to present evidence that their service satisfies PSN CA service requirements and related CESG cryptographic policy. The format of the evidence is at the discretion of the service Page 5
6 provider. The purpose of the evidence is to demonstrate that the proposed service is well designed, well implemented and well operated in line with industry good practice and relevant CESG Good Practice Guides and cryptographic policy. 10. The CAS assessment team may require clarification or additional evidence before giving a CAS assurance recommendation. Possible forms of additional evidence include new/updated documentation, design review(s) and an ITHC with improved scope. 11. The CAS assessment team will take a pragmatic approach when determining which elements of CESG policy and guidance are relevant to a PSN CA, and the degree of risk associated with limited or non-compliance to a control. F. Assumptions 12. Work is in hand to achieve HMG accreditation of the PSN CA by the PGA, and the outcome will be accreditation granted by the PGA. 13. The PSN on boarding process and accreditation by the PGA will confirm that service procedures implemented by the Provider to support the PSN CA service are mapped (where applicable) to the mandatory requirements of the Security Policy Framework (SPF) (ref[b]). 14. Accreditation by the PGA will confirm that risks are identified, understood and mitigated to an acceptable degree. 15. The assertion about physical security of premises and equipment made in the PSN Code and validated by PSNA will be confirmed by the PGA as part of the process of accreditation. 16. The assertion about security clearances of staff made in the PSN Code and validated by PSNA will be confirmed by the PGA as part of the process of accreditation. 17. This assurance methodology assumes that a significant proportion of the service being assessed is complete, and that the provider has clear designs and processes in place for any incomplete elements. This assurance methodology should not be used against unfinished systems or those still in the design stage, and is separate from accreditation of the service. Page 6
7 II. REQUIREMENTS A. Requirements for a PSN CA service 18. Each PSN CA service must comply with the PSN CP (ref[h]). Evidence of compliance must include a CPS defined against the PSN CP (ref[h]). 19. Each PSN CA must generate certificates and Certificate Revocation Lists (CRLs) in the format defined in the PSN certificate and CRL profiles (ref[i]). 20. Evidence will be required that the PSN CA will be subject to the compliance regime outlined in IS4 Supplement 10, Compliance (ref[d]), and will report any cryptographic incidents in accordance with the guidance provided in IS4 supplement 11, Incident reporting for Cryptographic Items (ref[e]). Cryptographic Assurance 21. Each PSN CA must comply with relevant CESG cryptographic policy, specifically Cryptographic Mechanisms, Algorithms and Protocols (ref[f]), and apply relevant cryptographic assurance requirements (including operational and physical requirements) for the implementation of cryptographic mechanisms (signing certificates and CRLs), the protection of signing keys, the protection of interactions between service elements and the protection of interactions between the PSN CA service and external elements. 22. Evidence will be required that any key material or cryptographic systems are handled in accordance with the policy for the classification and handling of such materials throughout their life cycle, as outlined in IA Standard 4, Management of Cryptographic Systems (IS4) (ref[c]). 23. Assurance of a PSN CA service for use in protecting the 334 tier of PSN requires confidence that a number of security relevant cryptographic controls have been implemented correctly. This confidence is reached via independent assessment of the cryptographic primitives. A service entering assurance must have had its cryptographic primitives tested via either the CAVP or CMVP FIPS process, CPA, or a previous CESG cryptographic assessment 1. The cryptographic primitives which must be assessed are those which are used in the production, signing, and revocation of PSN end-entity certificates for IPsec devices, in accordance with the PSN CP. 24. The certificate profile is specified in PSN certificate and CRL profiles (ref[i]). The supported algorithms are interim profile: 2048 bit RSA and SHA-1; and end state profile: ECDSA-256 and SHA The PSN CA service provider must supply evidence of independent validation of all these primitives, and a statement regarding the applicability of such validation 1 A vendor who believes that an alternative certification may cover the correct implementation of cryptographic primitives should contact CESG. Page 7
8 i.e. their assessment of why all security critical uses of cryptography within the operation of the PSN CA are covered by the validation. 26. Evidence must also be provided that the various cryptographic primitives have been tested end to end in a variety of common PSN CA service use cases (e.g. generation of a certificate, revocation of a certificate, renewal of a certificate); this testing may have been performed by the service provider, or via a third party. The intent is to show how the various products and components implementing cryptographic functionality within the provision of the service are working correctly together to provide the correct cryptographic protection of information. 27. As part of the CESG design review of the PSN CA service, any cryptographic areas which need particular attention will be highlighted. Entropy Generation 28. The generation of entropy for use in key generation and other cryptographic purposes is a critical security control, and must be independently validated by CESG to ensure sufficient provision of random bits for the intended purpose within a PSN CA. 29. Sufficient entropy for the generation of PSN CA signing keys can be ensured by: (RECOMMENDED) CESG evaluation of the design and implementation of the entropy generation within the service, including provision of additional entropy via a hardware-based noise source; or CESG evaluation of the design and implementation of the entropy generation within the service, and provision of additional external entropy i.e. from UK KPA; or provision of the PSN CA signing keys from UK KPA. 30. Sufficient entropy for generation of signatures (which require per-signature secrets) can be ensured by CESG evaluation of the design and implementation of the random number generation within the service, and provision of additional entropy via a hardware based noise source. 31. A PSN CA must generate non-sequential certificate serial numbers which include at least 20 bits of entropy. 32. To enable CESG evaluation of the design and implementation of the entropy source, the service provider must provide the following information. Entropy Design Description 33. Documentation shall cover the design of the entropy source as a whole, including the interaction of all entropy source components. It must describe the operation of the entropy source; how it works, how entropy is produced, and how unprocessed (raw) data can be obtained from within the entropy source for testing purposes. The documentation must describe the entropy source design indicating where the random comes from, where it is passed next, any post-processing of the raw outputs (hash, XOR, etc), if / where it is stored and, finally, how it is output from Page 8
9 the entropy source. Any conditions placed on the process (e.g. blocking) must be described in the entropy source design. Diagrams and examples are encouraged. 34. The design must include a description of the content of the security boundary of the entropy source, and a description of how the security boundary ensures that an adversary outside the boundary cannot affect the entropy rate. Entropy Justification 35. There must be a technical argument for where the unpredictability in the source comes from and why there is confidence in the entropy source exhibiting probabilitistic behaviour (an explanation of the probability distribution and justification for that distribution, given the particular source, is one way to describe this). This argument must include a description of the expected entropy rate and explain how it is ensured that sufficient entropy is going into the Deterministic Random Number Generation s seeding process. This discussion will justify why the entropy source can be relied upon to produce bits with sufficient entropy. Operating Conditions 36. Documentation must include the range of operating conditions under which the entropy source is expected to generate random data. It must clearly describe the measures that have been taken in the system design to ensure the entropy source continues to operate under those conditions. Similarly, documentation shall describe the conditions under which the entropy source is known to malfunction or become inconsistent. Methods used to detect failure or degradation of the source shall be included. Health Testing 37. All entropy source health tests and their rationale must be documented. This will include a description of the health tests, the rate and conditions under which each health test is performed (e.g. at start-up, continuously, or on demand), the expected results for each health test, and rationale indicating why each test is believed to be appropriate for detecting one or more failures in the entropy source. 38. CESG will validate that the documentation and analysis provided by the service provider is logically consistent and sound, and that the evidence provided is consistent with the design of the entropy source. CESG may also request samples from the raw (unwashed) entropy provider for testing. Certificate validation 39. Any aspects of the service which validate certificates must do so in accordance with the requirements in RFC5280, and the service provider must provide evidence of this validation behaviour. The validation must ensure that all certificate elements identified in the PSN certificate and CRL profiles (ref[i]) are processed correctly, and in particular that the basicconstraints extension is present and the ca flag is set to TRUE for all CA certificates. If the basicconstraints extension is not present or the ca flag is set to FALSE in a certificate then the service must not treat the certificate as a CA certificate. Page 9
10 Security architecture 40. The logical and physical design of the security architecture of the PSN CA, including separation of roles/functions, will be required. The results of a CESG design review of that security architecture will also be required. 41. General CA design and operation documentation will be required, including secure configuration that complies with PSN requirements and the configuration control process. 42. The scope and results of an IT Health Check will be required. B. Format and delivery of evidence for a potential PSN CA service 43. The evidence provided for the CAS assessment must be linked to the requirements of this service requirement and to relevant HMG IA Standards and cryptographic policy. 44. Although the format of the evidence is at the discretion of the Provider, the evidence should be presented (where possible) in a common portable format, such as PDF. 45. Evidence provided in relation to the PSN CP (ref[h]) should be reused if relevant. 46. At CESG discretion, the results from a CESG design review held before the PSN CA was submitted for CAS assessment may be sufficient and an additional design review will not be needed during the CAS assessment. If a new design review is needed, CESG will provide information about the process for preparing for and participating in a design review. 47. All valid and relevant evidence of existing assurance should be presented, e.g. CAS(T) approval for an underlying network (if connected and reliant upon networked services), ISO/IEC27001 for server hosting, and security enforcing product certifications such as CAPS/CPA/CC where applicable. 48. The Provider must list the full range of PSN CA service functions that the PSN CA service provides (in the first instance, PSN only asks for support to end-entity cryptographic devices using IPsec and the scope of this service requirement is limited to that service function but existing CAs may also be supporting identity (personnel/device), web services, , smartcards etc). All PSN certificates must be issued under the PSN CP (ref[h]) with a PSN CP OID. 49. CESG encourages Providers to obtain an industry recognised certification for all or part of their PSN CA service. While certification is not mandatory, details of certification should be submitted as part of the evidence pack when it is available and applicable. Valid industry recognised certification such as the following list will be accepted as supporting evidence. Please note - this list is not exhaustive. Other evidence of independent assessment will be accepted if the scope of the review is relevant to the PSN CA service being evaluated. (Associated documentation that details the differences between the current live CA service and PSN specific elements of the proposed PSN CA service will usually be required). Page 10
11 ETSI TS /047 ISO 2188:2006 PKI Implementation Audit tscheme Page 11
12 III. GLOSSARY Term CA CAPS CAS CAVP CC CMVP CP CPA CPS CRL ETSI TS ETSI TS ISO 21188:2006 OID PGA PKI PSN PSNA RA RFC5280 tscheme Meaning Certificate Authority. An entity that issues digital certificates CESG Assisted Products Service. A CESG assurance service CESG Assured Service Cryptographic Algorithm Validation Program. Validation of cryptographic algorithms under the security management and assurance group of NIST Common Criteria. An international assurance service Cryptographic Module Validation Program. Validation of cryptographic modules under the security management and assurance group of NIST Certificate Policy. Defines roles and responsibilities in a PKI Commercial Product Assurance. A CESG assurance service Certificate Practice Statement. Describes how a CA issues and manages certificates. Certificate Revocation List. A list of certificates that may no longer be trusted within a PKI. EU standards for certification authorities and electronic signature formats Practice and policy framework for PKI for financial services Object Identifier. Pan Government Accreditor. An individual with authority to accredit for pan-government use, responsible for approving operation of PSN connectivity service providers. Public Key Infrastructure Public Services Network. An infrastructure that connects HMG and other public sector organisations. Public Services Network Authority. The authority responsible for governance of the PSN Registration Authority. Responsible for functions that include approval or rejection of certificate applications and revocation or suspension of certificates. Specifies X.509 PKI certificate and CRL profiles An industry led self regulatory scheme that approves services against assessment criteria that it sets. Page 12
13 PAGE IS INTENTIONALLY LEFT BLANK Page 13
CESG ASSURED SERVICE CAS SERVICE REQUIREMENT TELECOMMUNICATIONS
CESG ASSURED SERVICE CAS SERVICE REQUIREMENT TELECOMMUNICATIONS Issue 1.1 Crown Copyright 2015 All Rights Reserved 1 of 9 Document History Version Date Description 0.1 November 2012 Initial Draft Version
More informationOFFICIAL SECURITY CHARACTERISTIC MOBILE DEVICE MANAGEMENT
SECURITY CHARACTERISTIC MOBILE DEVICE MANAGEMENT Version 1.3 Crown Copyright 2015 All Rights Reserved 49358431 Page 1 of 12 About this document This document describes the features, testing and deployment
More informationUNCLASSIFIED CESG ASSURED SERVICE CAS SERVICE REQUIREMENT DESTRUCTION. Version 1.0. Crown Copyright 2012 All Rights Reserved.
CESG ASSURED SERVICE CAS SERVICE REQUIREMENT DESTRUCTION Version 1.0 Crown Copyright 2012 All Rights Reserved Page 1 Document History Version Date Description 0.1 June 2012 Initial Draft Version 1.0 July
More informationCPA SECURITY CHARACTERISTIC DATA SANITISATION - FLASH BASED STORAGE
12040940 CPA SECURITY CHARACTERISTIC DATA SANITISATION - FLASH BASED STORAGE Version 0.3 Crown Copyright 2012 All Rights Reserved CPA Security Characteristics for Data Sanitisation - Flash Based Storage
More informationCPA SECURITY CHARACTERISTIC SECURE VOIP CLIENT
26579500 CPA SECURITY CHARACTERISTIC SECURE VOIP CLIENT Version 2.0 Crown Copyright 2013 All Rights Reserved UNCLASSIFIED Page 1 About this document This document describes the features, testing and deployment
More informationPROCESS FOR PERFORMING COMMERCIAL PRODUCT ASSURANCE (CPA) FOUNDATION GRADE EVALUATIONS
PROCESS FOR PERFORMING COMMERCIAL PRODUCT ASSURANCE (CPA) FOUNDATION GRADE EVALUATIONS Issue 2.4 SEPTEMBER 2014 Crown Copyright 2016 All Rights Reserved 41421324 Page 1 of 32 Foreword This document contains
More informationCPA SECURITY CHARACTERISTIC DATA AT REST ENCRYPTION: ALWAYS-ON MOBILE DEVICES
CPA SECURITY CHARACTERISTIC DATA AT REST ENCRYPTION: ALWAYS-ON MOBILE DEVICES Version 1.1 Crown Copyright 2016 All Rights Reserved 44335885 Page 1 of 6 About this document This document describes the features,
More informationOctober 2014 Issue No: 2.0. Good Practice Guide No. 44 Authentication and Credentials for use with HMG Online Services
October 2014 Issue No: 2.0 Good Practice Guide No. 44 Authentication and Credentials for use with HMG Online Services Good Practice Guide No. 44 Authentication and Credentials for use with HMG Online Services
More informationIT Heath Check Scoping guidance ALPHA DRAFT
IT Heath Check Scoping guidance ALPHA DRAFT Version 0.1 November 2014 Document Information Project Name: ITHC Guidance Prepared By: Mark Brett CLAS Consultant Document Version No: 0.1 Title: ITHC Guidance
More informationUK Government IA Recent Changes and Update
UK Government IA Recent Changes and Update INTRODUCTION Agenda Part 1 Government IA and Cyber Security Background Quick Threat Update UK Government Cyber Security Initiative Government Asset Control in
More informationDanske Bank Group Certificate Policy
Document history Version Date Remarks 1.0 19-05-2011 finalized 1.01 15-11-2012 URL updated after web page restructuring. 2 Table of Contents 1. Introduction... 4 2. Policy administration... 4 2.1 Overview...
More informationSCC Information Assurance Practice, CLAS Consulting, Check Testing and Accreditation Services
SCC Information Assurance Practice, CLAS Consulting, Check Testing and Accreditation Services Contents 1 Introduction...2 2 IA, CLAS Consulting and CHECK Testing...3 3 Information Assurance...4 4 Accreditation...5
More informationThales Service Definition for PSN Secure Email Gateway Service for Cloud Services
Thales Definition for PSN Secure Email Gateway Thales Definition for PSN Secure Email Gateway for Cloud s April 2014 Page 1 of 12 Thales Definition for PSN Secure Email Gateway CONTENT Page No. Introduction...
More informationGet Better Protected... Secure data sharing made possible with Updata s Encryption Overlay Service.
i Compliant Fully managed Encryption Overlay service enabling data sharing across secure networks. Provides operational efficiencies and cost savings through simplified procurement Get Better Protected...
More informationHow to gain accreditation for a G-Cloud Service
www.ascentor.co.uk How to gain accreditation for a G-Cloud Service Demystify the process As a registered supplier of G-Cloud services you will be keenly aware that getting onto the G-Cloud framework does
More informationCERTIFICATION PRACTICE STATEMENT UPDATE
CERTIFICATION PRACTICE STATEMENT UPDATE Reference: IZENPE-CPS UPDATE Version no: v 5.03 Date: 10th March 2015 IZENPE 2015 This document is the property of Izenpe. It may only be reproduced in its entirety.
More informationTrustis FPS PKI Glossary of Terms
Trustis FPS PKI Glossary of Terms The following terminology shall have the definitions as given below: Activation Data Asymmetric Cryptosystem Authentication Certificate Certificate Authority (CA) Certificate
More informationCPA SECURITY CHARACTERISTIC MIKEY-SAKKE SECURE VOIP GATEWAY
3166116 CPA SECURITY CHARACTERISTIC MIKEY-SAKKE SECURE VOIP GATEWAY Version 2.0 Crown Copyright 2013 All Rights Reserved UNCLASSIFIED Page 1 MIKEY-SAKKE Secure VoIP gateway About this document This document
More informationCPA SECURITY CHARACTERISTIC TLS VPN FOR REMOTE WORKING SOFTWARE CLIENT
29175671 CPA SECURITY CHARACTERISTIC TLS VPN FOR REMOTE WORKING SOFTWARE CLIENT Version 1.0 Crown Copyright 2013 All Rights Reserved UNCLASSIFIED Page 1 About this document This document describes the
More informationARTL PKI. Certificate Policy PKI Disclosure Statement
ARTL PKI Certificate Policy PKI Disclosure Statement Important Notice: This document (PKI Disclosure Statement, PDS) does not by itself constitute the Certificate Policy under which Certificates governed
More informationCryptographic and Security Testing Laboratory. Deputy Laboratory Director, CST Laboratory Manager
Cryptographic and Security Testing Laboratory Deputy Laboratory Director, CST Laboratory Manager About our Cryptographic and Security Testing Laboratory Bringing together a suite of conformance testing
More informationGood Practice Guide: the internal audit role in information assurance
Good Practice Guide: the internal audit role in information assurance Janaury 2010 Good Practice Guide: the internal audit role in information assurance January 2010 Official versions of this document
More informationCA Certificate Policy. SCHEDULE 1 to the SERVICE PROVIDER AGREEMENT
CA Certificate Policy SCHEDULE 1 to the SERVICE PROVIDER AGREEMENT This page is intentionally left blank. 2 ODETTE CA Certificate Policy Version Number Issue Date Changed By 1.0 1 st April 2009 Original
More informationA. Reference information. A0. G-Cloud Programme unique ID number for the service and version number of this scoping template
G-Cloud Service Pan Government Security Accreditation Scope This form is intended for Suppliers of services on the G-Cloud to complete. Upon receipt, the G-Cloud Programme will check Section A, Reference
More informationUNCLASSIFIED CPA SECURITY CHARACTERISTIC SOFTWARE FULL DISK ENCRYPTION. Version 1.1. Crown Copyright 2011 All Rights Reserved
11590282 CPA SECURITY CHARACTERISTIC SOFTWARE FULL DISK ENCRYPTION Version 1.1 Crown Copyright 2011 All Rights Reserved CPA Security Characteristics for software full disk encryption Document History [Publish
More informationUNCLASSIFIED CPA SECURITY CHARACTERISTIC REMOTE DESKTOP. Version 1.0. Crown Copyright 2011 All Rights Reserved
18570909 CPA SECURITY CHARACTERISTIC REMOTE DESKTOP Version 1.0 Crown Copyright 2011 All Rights Reserved CPA Security Characteristics for CPA Security Characteristic Remote Desktop 1.0 Document History
More informationMicrosoft Trusted Root Certificate: Program Requirements
Microsoft Trusted Root Certificate: Program Requirements 1. Introduction The Microsoft Root Certificate Program supports the distribution of root certificates, enabling customers to trust Windows products.
More informationHMRC Secure Electronic Transfer (SET)
HM Revenue & Customs HMRC Secure Electronic Transfer (SET) Installation and key renewal overview Version 3.0 Contents Welcome to HMRC SET 1 What will you need to use HMRC SET? 2 HMRC SET high level diagram
More informationCorporate Information Security Policy
Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives
More informationNational Security Agency Perspective on Key Management
National Security Agency Perspective on Key Management IEEE Key Management Summit 5 May 2010 Petrina Gillman Information Assurance (IA) Infrastructure Development & Operations Technical Director National
More informationApril 2015 Issue No:1.0. Application Guidance - CCP Security and Information Risk Advisor Role, Practitioner Level
April 2015 Issue No:1.0 Application Guidance - CCP Security and Information Risk Advisor Role, Practitioner Level Application Guidance CCP Security and Information Risk Advisor Role, Practitioner Level
More informationOctober 2015 Issue No: 1.1. Security Procedures Windows Server 2012 Hyper-V
October 2015 Issue No: 1.1 Security Procedures Windows Server 2012 Hyper-V Security Procedures Windows Server 2012 Hyper-V Issue No: 1.1 October 2015 This document describes the manner in which this product
More informationCPA SECURITY CHARACTERISTIC ENTERPRISE MANAGEMENT OF DATA AT REST ENCRYPTION
UNCLASSIFIED 24426399 CPA SECURITY CHARACTERISTIC ENTERPRISE MANAGEMENT OF DATA AT REST ENCRYPTION Version 1.0 Crown Copyright 2013 All Rights Reserved UNCLASSIFIED Page 1 UNCLASSIFIED Enterprise Management
More informationPublic-Key Infrastructure
Public-Key Infrastructure Technology and Concepts Abstract This paper is intended to help explain general PKI technology and concepts. For the sake of orientation, it also touches on policies and standards
More informationCertificate Policy. SWIFT Qualified Certificates SWIFT
SWIFT SWIFT Qualified Certificates Certificate Policy This Certificate Policy applies to Qualified Certificates issued by SWIFT. It indicates the requirements and procedures to be followed, and the responsibilities
More informationGPG13 Protective Monitoring. Service Definition
GPG13 Protective Monitoring Service Definition Issue Number V1.3 Document Date 27 November 2014 Author: D.M.Woodcock Classification UNCLASSIFIED Version G-Cloud 6 2014 Copyright Assuria Limited. All rights
More informationApplication Guidance CCP Penetration Tester Role, Practitioner Level
August 2014 Issue No: 1.0 Application Guidance CCP Penetration Tester Role, Practitioner Level Application Guidance CCP Penetration Tester Role, Practitioner Level Issue No: 1.0 August 2014 This document
More informationCertification Report
Certification Report EAL 4 Evaluation of SecureDoc Disk Encryption Version 4.3C Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification
More informationThales Service Definition for IL3 Encrypted Overlay for Cloud Services
Thales Service Definition for UK IL3 Encrypted Overlay Thales Service Definition for IL3 Encrypted Overlay for Cloud Services April 2014 Page 1 of 11 Thales Service Definition for UK IL3 Encrypted Overlay
More informationPublic Key Infrastructure for a Higher Education Environment
Public Key Infrastructure for a Higher Education Environment Eric Madden and Michael Jeffers 12/13/2001 ECE 646 Agenda Architectural Design Hierarchy Certificate Authority Key Management Applications/Hardware
More informationRelease Notes. NCP Secure Client Juniper Edition. 1. New Features and Enhancements. 2. Problems Resolved
NCP Secure Client Juniper Edition Service Release: 9.30 Build 102 Date: February 2012 1. New Features and Enhancements The following describe the new features introduced in this release: Visual Feedback
More informationController of Certification Authorities of Mauritius
Contents Pg. Introduction 2 Public key Infrastructure Basics 2 What is Public Key Infrastructure (PKI)? 2 What are Digital Signatures? 3 Salient features of the Electronic Transactions Act 2000 (as amended)
More informationGatekeeper PKI Framework. Archived. February 2009. Gatekeeper Public Key Infrastructure Framework. Gatekeeper PKI Framework.
Gatekeeper Public Key Infrastructure Framework 1 October 2007 Department of Finance and Deregulation Australian Government Information Management Office Commonwealth of Australia 2009 This work is copyright.
More informationFIPS 140-2 Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0
FIPS 40-2 Non- Proprietary Security Policy McAfee SIEM Cryptographic Module, Version.0 Document Version.4 December 2, 203 Document Version.4 McAfee Page of 6 Prepared For: Prepared By: McAfee, Inc. 282
More informationUKAS Guidance for bodies operating certification of Trust Service Providers seeking approval under tscheme
CIS 3 EDITION 2 February 2014 UKAS Guidance for bodies operating certification of Trust Service Providers seeking approval under tscheme CONTENTS SECTION PAGE 1 Introduction 2 2 Requirements for Certification
More informationCPA SECURITY CHARACTERISTIC IPSEC VPN GATEWAY
CPA SECURITY CHARACTERISTIC IPSEC VPN GATEWAY Version 2.5 Crown Copyright 2016 All Rights Reserved 48770392 Page 1 of 25 About this document This document describes the features, testing and deployment
More informationResponse to NAF Consulting Paper
Response to NAF Consulting Paper Author: Tan Chuan Jin Email: chuanjin.tan@atosorigin.com Yeo Chien Jen Email: chienjen.yeo@atosorigin.com Version: 1.3 Document date: 21 September 2008 All rights reserved.
More informationCP14 ISSUE 5 DATED 1 st OCTOBER 2015 BINDT Audit Procedure Conformity Assessment and Certification/Verification of Management Systems
Certification Services Division Newton Building, St George s Avenue Northampton, NN2 6JB United Kingdom Tel: +44(0)1604-893-811. Fax: +44(0)1604-893-868. E-mail: pcn@bindt.org CP14 ISSUE 5 DATED 1 st OCTOBER
More informationOFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES
OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES Table of contents 1.0 SOFTWARE 1 2.0 HARDWARE 2 3.0 TECHNICAL COMPONENTS 2 3.1 KEY MANAGEMENT
More informationCitrix Password Manager, Enterprise Edition Version 4.5
122-B COMMON CRITERIA CERTIFICATION REPORT No. CRP235 Citrix Password Manager, Enterprise Edition Version 4.5 running on Microsoft Windows and Citrix Presentation Server Issue 1.0 June 2007 Crown Copyright
More informationNIST Test Personal Identity Verification (PIV) Cards
NISTIR 7870 NIST Test Personal Identity Verification (PIV) Cards David A. Cooper http://dx.doi.org/10.6028/nist.ir.7870 NISTIR 7870 NIST Text Personal Identity Verification (PIV) Cards David A. Cooper
More informationOracle Business Intelligence Enterprise Edition (OBIEE) Version 10.1.3.3.2 with Quick Fix 090406 running on Oracle Enterprise Linux 4 update 5 x86_64
122-B CERTIFICATION REPORT No. CRP250 Business Intelligence Edition (OBIEE) Version 10.1.3.3.2 with Quick Fix 090406 running on update 5 Issue 1.0 June 2009 Crown Copyright 2009 All Rights Reserved Reproduction
More informationBiometrics, Tokens, & Public Key Certificates
Biometrics, Tokens, & Public Key Certificates The Merging of Technologies TOKENEER Workstations WS CA WS WS Certificate Authority (CA) L. Reinert S. Luther Information Systems Security Organization Biometrics,
More informationCPA SECURITY CHARACTERISTIC IPSEC VPN FOR REMOTE WORKING SOFTWARE CLIENT
24419250 CPA SECURITY CHARACTERISTIC IPSEC VPN FOR REMOTE WORKING SOFTWARE CLIENT Version 2.1 Crown Copyright 2013 All Rights Reserved UNCLASSIFIED Page 1 About this document This document describes the
More informationArchived NIST Technical Series Publication
Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated
More informationI N F O R M A T I O N S E C U R I T Y
NIST Special Publication 800-78-3 DRAFT Cryptographic Algorithms and Key Sizes for Personal Identity Verification W. Timothy Polk Donna F. Dodson William E. Burr Hildegard Ferraiolo David Cooper I N F
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 20 Public-Key Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Public-Key Cryptography
More informationI N F O R M A T I O N S E C U R I T Y
NIST Special Publication 800-78-2 DRAFT Cryptographic Algorithms and Key Sizes for Personal Identity Verification W. Timothy Polk Donna F. Dodson William. E. Burr I N F O R M A T I O N S E C U R I T Y
More informationCryptography and Key Management Basics
Cryptography and Key Management Basics Erik Zenner Technical University Denmark (DTU) Institute for Mathematics e.zenner@mat.dtu.dk DTU, Oct. 23, 2007 Erik Zenner (DTU-MAT) Cryptography and Key Management
More informationGatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria
Gatekeeper PKI Framework ISBN 1 921182 24 5 Department of Finance and Deregulation Australian Government Information Management Office Commonwealth of Australia 2009 This work is copyright. Apart from
More informationCertification Report
Certification Report EAL 4+ Evaluation of Entrust Authority Security Manager and Security Manager Administration v8.1 SP1 Issued by: Communications Security Establishment Canada Certification Body Canadian
More informationUNCLASSIFIED 12686381
12686381 CPA SECURITY CHARACTERISTIC IP FILTERING FIREWALLS Version 1.1 Crown Copyright 2011 All Rights Reserved CPA Security Characteristics for IP Filtering firewalls 26/07/2011 Document History Version
More informationCitrix NetScaler Platinum Edition Load Balancer Version 10.5 running on MPX 9700-FIPS, MPX 10500-FIPS, MPX 12500-FIPS, MPX 15500-FIPS appliances
122 CERTIFICATION REPORT No. CRP294 Citrix NetScaler Platinum Edition Load Balancer Version 10.5 running on MPX 9700-FIPS, MPX 10500-FIPS, MPX 12500-FIPS, MPX 15500-FIPS appliances Issue 1.0 November 2015
More informationSSLPost Electronic Document Signing
SSLPost Electronic Document Signing Overview What is a Qualifying Advanced Electronic Signature (QAES)? A Qualifying Advanced Electronic Signature, is a specific type of digital electronic signature, that
More informationOperating a CSP in Switzerland or Playing in the champions league of IT Security
Operating a CSP in Switzerland or Playing in the champions league of IT Security Agenda SwissSign Technology Products and Processes Legal Aspects and Standards Business Model Future Developments 2 SwissSign
More informationService Definition Document
Service Definition Document QinetiQ Secure Cloud Protective Monitoring Service (AWARE) QinetiQ Secure Cloud Protective Monitoring Service (DETER) Secure Multi-Tenant Protective Monitoring Service (AWARE)
More informationCyber Security Consultancy Standard. Version 0.2 Crown Copyright 2015 All Rights Reserved. Page 1 of 13
Cyber Security Consultancy Standard Version 0.2 Crown Copyright 2015 All Rights Reserved Page 1 of 13 Contents 1. Overview... 3 2. Assessment approach... 4 3. Requirements... 5 3.1 Service description...
More informationNational Approach to Information Assurance 2014-2017
Document Name File Name National Approach to Information Assurance 2014-2017 National Approach to Information Assurance v1.doc Author David Critchley, Dave Jamieson Authorisation PIAB and IMBA Signed version
More informationA PKI For IDR Public Key Infrastructure and Number Resource Certification
A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC If You wanted to be Bad on the Internet And you wanted to: Hijack a site Inspect
More informationJanuary 2015 Issue No: 2.1. Guidance to CESG Certification for IA Professionals
January 2015 Issue No: 2.1 Guidance to Issue No: 2.1 January 2015 The copyright of this document is reserved and vested in the Crown. This document may not be reproduced or copied without specific permission
More informationInformation governance strategy 2014-16
Information Commissioner s Office Information governance strategy 2014-16 Page 1 of 16 Contents 1.0 Executive summary 2.0 Introduction 3.0 ICO s corporate plan 2014-17 4.0 Regulatory environment 5.0 Scope
More informationService "NCPCLCFG" is not running In this case, increase the WaitForConfigService setting until the problem is circumvented
NCP Secure Client Juniper Edition Service Release: 9.30 Build 186 Date: July 2012 1. New Features and Enhancements The following describes the new feature introduced in this release: Configurable Service
More informationUSB Portable Storage Device: Security Problem Definition Summary
USB Portable Storage Device: Security Problem Definition Summary Introduction The USB Portable Storage Device (hereafter referred to as the device or the TOE ) is a portable storage device that provides
More informationSecurity Policy. Trapeze Networks
MP-422F Mobility Point Security Policy Trapeze Networks August 14, 2009 Copyright Trapeze Networks 2007. May be reproduced only in its original entirety [without revision]. TABLE OF CONTENTS 1. MODULE
More informationFebruary 2015 Issue No: 5.2. CESG Certification for IA Professionals
February 2015 Issue No: 5.2 CESG Certification for IA Professionals Issue No: 5.2 February 2015 The copyright of this document is reserved and vested in the Crown. This document may not be reproduced or
More informationOracle Identity and Access Management 10g Release 10.1.4.0.1 running on Red Hat Enterprise Linux AS Release 4 Update 5
122-B CERTIFICATION REPORT No. CRP245 Oracle Identity and Access Management 10g Release 10.1.4.0.1 running on Red Hat Enterprise Linux AS Release 4 Update 5 Issue 1.0 June 2008 Crown Copyright 2008 Reproduction
More informationNational Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016
National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy Version 1.1 February 2, 2016 Copyright 2016, Georgia Tech Research Institute Table of Contents TABLE OF CONTENTS I 1 INTRODUCTION
More informationUSB Portable Storage Device: Security Problem Definition Summary
USB Portable Storage Device: Security Problem Definition Summary Introduction The USB Portable Storage Device (hereafter referred to as the device or the TOE ) is a portable storage device that provides
More informationETSI TS 102 280 V1.1.1 (2004-03)
TS 102 280 V1.1.1 (2004-03) Technical Specification X.509 V.3 Certificate Profile for Certificates Issued to Natural Persons 2 TS 102 280 V1.1.1 (2004-03) Reference DTS/ESI-000018 Keywords electronic signature,
More informationIntegration Guide. Microsoft Internet Information Services (IIS) 7.0 and ncipher Modules. Windows Server 2008 (32-bit and 64-bit)
Integration Guide Microsoft Internet Information Services (IIS) 7.0 and ncipher Modules Windows Server 2008 (32-bit and 64-bit) These installation instructions are intended to provide step-by-step instructions
More informationSP 800-130 A Framework for Designing Cryptographic Key Management Systems. 5/25/2012 Lunch and Learn Scott Shorter
SP 800-130 A Framework for Designing Cryptographic Key Management Systems 5/25/2012 Lunch and Learn Scott Shorter Topics Follows the Sections of SP 800-130 draft 2: Introduction Framework Basics Goals
More informationCertification Report
Certification Report McAfee Network Security Platform v7.1 (M-series sensors) Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification
More informationGOVERNMENT HOSTING. Cloud Service Security Principles Memset Statement. www.memset.com
GOVERNMENT HOSTING Cloud Service Security Principles Memset Statement Summary - March 2014 The Cabinet Office has produced a set of fourteen Cloud Service Security Principles to be considered when purchasers
More informationSpillemyndigheden s change management programme. Version 1.3.0 of 1 July 2012
Version 1.3.0 of 1 July 2012 Contents 1 Introduction... 3 1.1 Authority... 3 1.2 Objective... 3 1.3 Target audience... 3 1.4 Version... 3 1.5 Enquiries... 3 2. Framework for managing system changes...
More informationGatekeeper. Public Key Infrastructure Framework
Gatekeeper Public Key Infrastructure Framework V 3.0 NOVEMBER 2014 Gatekeeper Public Key Infrastructure Framework V 3.0 DECEMBER 2014 Foreword Information and Communication Technologies (ICT) are transforming
More informationLevel 3 Certificate in assessing candidates using a range of methods (7317)
Level 3 Certificate in assessing candidates using a range of methods (7317) Candidate guide A1 Assess candidates using a range of methods www.cityandguilds.com November 2004 About City & Guilds City &
More informationSafeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST
Safeguarding Data Using Encryption Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST What is Cryptography? Cryptography: The discipline that embodies principles, means, and methods
More informationTELSTRA RSS CA Subscriber Agreement (SA)
TELSTRA RSS CA Subscriber Agreement (SA) Last Revision Date: December 16, 2009 Version: Published By: Telstra Corporation Ltd Copyright 2009 by Telstra Corporation All rights reserved. No part of this
More information[SMO-SFO-ICO-PE-046-GU-
Presentation This module contains all the SSL definitions. See also the SSL Security Guidance Introduction The package SSL is a static library which implements an API to use the dynamic SSL library. It
More informationRandomized Hashing for Digital Signatures
NIST Special Publication 800-106 Randomized Hashing for Digital Signatures Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February 2009 U.S. Department
More informationUK IT SECURITY EVALUATION AND CERTIFICATION SCHEME DESCRIPTION OF THE SCHEME
UKSP 01 UK IT SECURITY EVALUATION AND CERTIFICATION SCHEME UK Scheme Publication No 1 DESCRIPTION OF THE SCHEME Issue 4.0 February 2000 Crown Copyright 2000 This document must not be copied or distributed
More informationGatekeeper Public Key Infrastructure Framework. Compliance Audit Program
Gatekeeper Public Key Infrastructure Framework Compliance Audit Program V 2.1 December 2015 Digital Transformation Office Commonwealth of Australia 2015 This work is copyright. Apart from any use as permitted
More informationSecure Network Communications FIPS 140 2 Non Proprietary Security Policy
Secure Network Communications FIPS 140 2 Non Proprietary Security Policy 21 June 2010 Table of Contents Introduction Module Specification Ports and Interfaces Approved Algorithms Test Environment Roles
More informationCertification Report
Certification Report EAL 2+ Evaluation of Symantec Endpoint Protection Version 11.0 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification
More informationSupplier Assurance Framework Good Practice Guide
Supplier Assurance Framework Good Practice Guide Version 2.0 February 2015 1 P a g e V e r s i o n 2. 0 F e b 1 5 Contents INTRODUCTION... 3 SUPPLIER ASSURANCE FRAMEWORK OVERVIEW... 4 USING THE STATEMENT
More informationApple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.14 Effective Date: September 9, 2015
Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.14 Effective Date: September 9, 2015 Table of Contents 1. Introduction... 5 1.1. Trademarks...
More informationELECTRONIC SIGNATURES AND ASSOCIATED LEGISLATION
ELECTRONIC SIGNATURES AND ASSOCIATED LEGISLATION This can be a complex subject and the following text offers a brief introduction to Electronic Signatures, followed by more background on the Register of
More informationFinal Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket
IT 4823 Information Security Administration Public Key Encryption Revisited April 5 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles
More informationSamsung SDS Co., LTD Samsung SDS CellWe EMM (MDMPP11) Security Target
Samsung SDS Co., LTD Samsung SDS CellWe EMM (MDMPP11) Security Target Version 0.6 2015/05/08 Prepared for: Samsung SDS 123, Olympic-ro 35-gil, Songpa-gu, Seoul, Korea 138-240 Prepared By: www.gossamersec.com
More informationGovernment Information Security System with ITS Product Pre-qualification
Government Information Security System with ITS Product Pre-qualification Wan S. Yi 1, Dongbum Lee 2, Jin Kwak 2, Dongho Won 1 1 Information Security Group, Sungkyunkwan University, 300 Cheoncheon-dong,
More information